On July 28, 2011, DDTC posted guidance on its website regarding the interpretation and implementation of the new exemption under 22 CFR §126.18 of the International Traffic in Arms Regulations (ITAR), which allows for the transfer of unclassified ITAR-controlled defense articles, including technical data, to dual nationals or third-country nationals (DN/TCNs) who are “bona fide, regular employees, directly employed by” a “foreign business entity, foreign governmental entity, or international organization” that is an approved foreign end-user, consignee, or sublicensee (hereinafter, “authorized entity”). According to DDTC’s guidance, a “dual national” is “an individual who holds nationality from the country of their employer who is a foreign licensee (or sublicensee) to the agreement, and also holds nationality from one or more additional countries.” A “third country national” is “an individual who holds nationality from a country other than the country of their employer who is a foreign licensee (or sublicensee) to the agreement.”

The new rule becomes effective on August 15, 2011.  DDTC’s recently posted guidance with respect to this exemption includes:

Answers to a list of Frequently Asked Questions (FAQs);

Implementation considerations for companies considering using the exemption (Implementation Considerations); and

Guidelines for implementing the new dual national/third-country national policy for agreements (Agreement Guidelines). Implementation of the §126.18 Exemption:

In order to be covered by the exemption, transfers must be to DN/TCN “bona fide, regular employees,”[1] and must (1) occur: (a) within the physical territory where the end-user is located, (b) where the governmental entity or international organization conducts official business, or (c) where the consignee operates, and (2) be within the scope of the approved export license, other export authorization, or a license exemption applicable to the authorized entity.

If an entity meets the conditions above, it must also require, prior to transferring ITAR-controlled defense articles, that its regular employees either (1) maintain a security clearance approved by the host nation government, or (2) be screened for “substantive contacts” with countries subject to an arms embargo under §126.1(a) or which present diversion risks and execute non-disclosure agreements (NDAs) regarding the unauthorized transfer of defense articles. DDTC’s FAQs clarify that any level of security clearance, approved by the host government, is acceptable to meet the requirements of §126.18(c)(1). In other words, it appears that a foreign equivalent of a “confidential” clearance is sufficient. However, because host government security clearances would typically only be granted when an employee has a need to access classified information (whether domestic or foreign), many entities wishing to transfer only unclassified, ITAR-controlled data to their employees may find themselves in the position of having to screen for “substantive contacts” in order to use the exemption. 

Under §126.18, “substantive contacts” may include the following:

  • Regular travel;
  • Recent or continuing contact with agents, brokers, and nationals;
  • Continued demonstrated allegiance;
  • Maintenance of business relationships with persons;
  • Maintenance of a residence;
  • Receiving salary or other continuing monetary compensation; or
  • Acting otherwise indicating a risk of diversion.

We noted in our prior advisory that although some types of potential “substantive contacts” are listed in §126.18, the quantitative and qualitative elements of such contacts are not delineated in the rule. DDTC’s guidance does little to clarify the scope or weight that should be given to each of its listed examples, but the Implementation Considerations do list the following contacts as those which that should be assessed with particular carefully by an authorized entity:

  • Contacts with government or military officials, agents, or proxies;
  • Business contacts (focusing on the nature of the business and its legitimacy);
  • Family contacts with individuals who pose a risk of diversion;
  • Non-family contacts with individuals who acquire and sell defense articles for profit or monetary gain, who work for or with front companies, or who work for criminal or terrorist organizations;
  • The totality of continuing connections to a third country, including carrying a passport of that country, casting ballots for elections in that country, currently or previously holding an official position within that country, and prior employment with the government of that country;
  • Frequent travel to a third country; and
  • Maintaining a residence in a third country. 

Certain of these “substantive contacts” screening elements in DDTC’s guidance, including the emphasis on family contacts, potentially perpetuate the privacy and human rights law concerns existing in many foreign jurisdictions. Also of note is DDTC’s brief discussion of prior employment in relation to the analysis of continuing connections to a third country. DDTC states that an active or prior contractual relationship or employment with the government of an ITAR §126.1(a) country will generally disqualify an employee from access to ITAR-controlled defense articles and technical data. This seems to leave little room for discretion when it comes to the nature of an employee’s prior employment with the government of an ITAR §126.1(a) country.  It is unclear, for example, whether an individual’s prior fulfillment of a mandatory military service requirement in a §126.1 country would disqualify that person from access to ITAR-controlled technical data.

With respect to the breadth of the “substantive contacts” analysis as a whole, §126.18 states that an authorized entity must screen its employees for “substantive contacts” with the restricted or prohibited countries listed in §126.1. DDTC’s Implementation Considerations, however, appear to go beyond the scope of the regulations by suggesting that the screening should extend further, stating that contacts with individuals from other countries “with a pattern of diverting defense articles” are also of concern. The breadth of a screening procedure that includes countries beyond those listed in §126.1 could pose significant practical implementation challenges for those seeking to comply with the exemption, including determining which countries, other than those listed in §126.1, have demonstrated a pattern of diversion. 

The detailed sample questionnaire provided by DDTC in the Implementation Considerations, which DDTC suggests is one possible way for authorized entities to comply with the screening requirements in §126.18, contains 17 questions relating to an employee’s contacts with a third country. The nature of the questions suggest that the screening process under §126.18(c)(2) has the potential to be quite burdensome. In fact, the sample questionnaire posted by DDTC contains more specific questions in some instances than appear in standard security clearance application forms. The Implementation Considerations do not suggest how frequently the questionnaire responses would need to be updated, which would affect the amount of time and resources that a company would need to devote to the screening process. 

In light of the ambiguities with regard to the scope of the substantive contacts analysis, as well as potential concerns regarding foreign privacy and human rights laws, companies may – when possible – elect to seek opportunities to have their employees obtain security clearances under §126.18(c)(1) in order to forego screening for substantial contacts under §126.18(c)(2).  (But, as noted above, obtaining the necessary security clearances may not always be possible unless an employee has a need to know classified information for purposes of his or her job.)  Alternatively, as discussed below in “Option 2,” companies may simply elect to continue to use the approval method for DN/TCNs that was in place prior to the §126.18 exemption.

Guidelines for New or Previously Approved Agreements:

New Agreements

Once the §126.18 exemption goes into effect on August 15, 2011, all MLA and TAAs entered into thereafter will have to contain the new verbatim clause in §124.8(5), which states:

The technical data or defense service exported from the United States in furtherance of this agreement and any defense article which may be produced or manufactured from such technical data or defense service may not be transferred to a foreign person except pursuant to §§124.16 and 126.18, as specifically authorized in this agreement, or where prior written approval of the Department of State has been obtained.

Section 124.8(5) identifies three different potential options for a party to pursue in order to enable the transfer technical data or defense services to a foreign person. These options, as articulated in the Agreement Guidelines, are as follows:

  • Option 1 (Foreign Vetting): The foreign parties make the determination on the applicability of §124.16 and/or vet their own DN/TCNs pursuant to §126.18. This method places the ultimate responsibility of vetting DN/TCNs with the foreign parties. In making such determinations pursuant to §126.18, substantive contact with risk of diversion is the determining factor, not country of origin. This option is only applicable to unclassified transactions.
  • Option 2 (DDTC Vetting): The applicant identifies the countries of the foreign parties’ DN/TCNs pursuant to §124.8(5) and §124.16 in the agreement. This method places the ultimate responsibility of vetting DN/TCNs with DDTC. When DDTC is requested to make the determination, DDTC does consider the country of origin or birth in addition to citizenship. A request pursuant to §124.8(5) under Option 2 can cover classified as well as unclassified transactions.
  • Option 3 (Foreign GC): Foreign party requests approval of a specific DN/TCN individual directly with DDTC via a General Correspondence letter. This method places the ultimate responsibility of vetting a specific DN/TCN with DDTC and is to be used as a last resort when the foreign party cannot make their own determination on the risk of diversion using Option 1. This option is not tied to a specific transaction but provides authority for involvement of the specific individual in any future authorization.

The Agreement Guidelines lay out in detail the language that applicants must use in their agreements in order to inform DDTC that DN/TCNs will be vetted under Option 1 or Option 2. Option 3 is different, because it acts as a back-up vetting procedure for a party that has chosen Option 1, but is unable to definitively complete its “substantive contacts” analysis under §126.18. The authorization that results from Option 3 is not tied to a particular transaction, but rather allows a specific individual to be involved in any future authorizations for the company going forward.

It is unclear exactly when, under Option 3, DDTC expects to be involved in the “substantive contacts” analysis. Section 126.18(c)(2) of the new rule states that “an employee who has substantive contacts with persons from countries listed in §126.1(a) shall be presumed to raise a risk of diversion, unless DDTC determines otherwise.” The Agreement Guidelines note that in accordance with §126.18(c)(2), “DN/TCNs with substantive contacts with persons from countries listed in §126.1(a) must be identified to DDTC for a final determination” (emphasis original). This language strongly suggests that once a “substantive contact” with a §126.1(a) country has been identified, it is up to DDTC to determine whether there is an actual risk of diversion due to the “substantive contact.” However, in describing Option 3 elsewhere in its guidance, DDTC says that the General Correspondence “is to be used as a last resort when the foreign party cannot make their own determination on the risk of diversion using Option 1” (emphasis added). Similarly, in response to a FAQ about whether a foreign company may seek confirmation from DDTC about whether something is a “substantive contact,” DDTC says that “the foreign company should first seek to work out whether something is a “substantive contact” and of concern in a specific instance as this is a discretionary standard” (emphasis added). This language suggests that once a substantive contact is identified, DDTC expects a company to analyze the risk of diversion on its own, and only to consult DDTC if such an analysis regarding the risk of diversion (rather than the existence of a substantive contact) is inconclusive. 

Despite the somewhat inconsistent message in DDTC’s guidance, the language of the rule itself makes clear that a company should not determine on its own that there is no risk of diversion once it has concluded that a DN/TCN has “substantive contacts” with a 126.1(a) country. Instead, the company should disclose the nature of the “substantive contact” to DDTC under Option 2 or Option 3, include its analysis of the diversion risks, and let DDTC make the ultimate decision with respect to authorization. 

Previously Approved Agreements

In the Agreement Guidelines, DDTC provides a detailed explanation of when and how applicants should amend agreements that are already in place in order to use the new rule and insert the updated verbatim clause in §124.8(5). DDTC explains that an applicant must amend an already approved agreement in order to use Option 1, and the agreement must be executed prior to implementation. The details for exactly how the agreement should be amended, and the language that should be included, are laid out in the Agreement Guidelines. In the case of agreements that have specific proviso(s) restricting or removing DN/TCNs from the agreement, the applicant must submit the agreement for proviso reconsideration in order to implement Option 1. 

If foreign parties do not intend to use Option 1, an amendment to currently approved agreements is not necessary. Rather, the existing agreement may continue as is until there is a need to submit a substantive amendment pursuant to §124.1(c). At that time, the §124.8(5) verbatim clause in the agreement should be replaced with the new §124.8(5) verbatim clause laid out above. 


The guidance provided by DDTC is intended to provide companies with greater insight into how the screening process for substantive contacts should be implemented, as well as a detailed roadmap for companies to follow when drafting or amending agreements in order to comply with the requirements of the new exemption. With respect to the latter goal, the Agreement Guidelines are thorough, and should provide companies with a great deal of insight when it comes to the language that should be used in their agreements. 

The Implementation Considerations, on the other hand, raise many questions about the scope of the new exemption. DDTC’s guidance suggests that screening for substantive contacts may be broader and more burdensome than the final rule indicated. Further, it remains unclear exactly how a company should weigh and evaluate potential substantive contacts. Accordingly, it may be the case that many companies forego screening for substantive contacts, and either seek security clearances, where possible, or continue to use Option 2 above, placing the vetting burden on DDTC.